Cyber-criminals have been exploiting the Windows PrintNightmare vulnerability to attack networks around the world. PrintNightmare is the name given to a collection of vulnerabilities in the Windows Print Spooler.
According to reports from Talos and CrowdStrike, several threat actors have now incorporated the PrintNightmare vulnerabilities into attacks on their victims' networks. PrintNightmare was first disclosed in June 2021, and several related vulnerabilities in the Windows Print Spooler have been discovered since. According to the Talos Incident Response team:
multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward.
Patches and mitigations for these vulnerabilities were published by Microsoft over the summer. It is not surprising to see threat actors targeting widely publicised vulnerabilities; security managers should expect continued focus on these and related Print Spooler vulnerabilities and should prioritise installing the patches.
New Print Spooler patches in August security updates
Alongside its August security updates, which included further Print Spooler fixes, Microsoft disclosed another Print Spooler remote code execution vulnerability (CVE-2021-36958) that allows an attacker to execute arbitrary code with SYSTEM privileges. The vulnerability had been reported to Microsoft in December 2020 but was not disclosed until eight months later, and no patch was available at the time of disclosure.
Until a patch is released and installed, Microsoft advises that the only mitigation is to stop and disable the Print Spooler service. That stops all local and network printing on the host, so it is practical for workstations and servers that never print, but not for print servers, which need the patches instead.
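The following PowerShell script is an added example, not code from the original article or from Microsoft: it audits the two controls discussed above on the local host (the Print Spooler service state, and the Point and Print hardening values Microsoft documented with the August 2021 Print Spooler updates) and, if you pass the assumed -Disable switch, applies the stop-and-disable mitigation. Run it in an elevated session.

```powershell
# Added example (not from the original article). Audits the Print Spooler mitigation
# and Point and Print hardening on the local machine; -Disable is an assumed switch name.
[CmdletBinding()]
param(
    [switch]$Disable   # actually stop and disable the spooler; without it the script only reports
)

$findings = @()

# 1. Print Spooler service state: "Stopped" + "Disabled" is the mitigation Microsoft describes.
$svc = Get-Service -Name Spooler -ErrorAction Stop
Write-Host "Print Spooler: Status=$($svc.Status) StartType=$($svc.StartType)"
if ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
    $findings += "Spooler service is $($svc.Status)/$($svc.StartType); host is exposed unless fully patched"
    if ($Disable) {
        # Breaks all printing on this host. Do not run on print servers.
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Host 'Spooler stopped and disabled.'
    }
}

# 2. Point and Print hardening (KB5005652). After the August 2021 updates the default is that
#    only administrators may install printer drivers; an explicit 0 here turns that back off,
#    and the two prompt-suppression values must not be 1.
$pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
if (Test-Path $pp) {
    $v = Get-ItemProperty -Path $pp
    if ($v.NoWarningNoElevationOnInstall -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1 (driver install without warning or elevation)'
    }
    if ($v.UpdatePromptSettings -eq 1) {
        $findings += 'UpdatePromptSettings=1 (driver update without warning or elevation)'
    }
    if ($v.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators=0 (admin-only driver install explicitly disabled)'
    }
} else {
    Write-Host 'No PointAndPrint policy key; relying on the patched default (admin-only driver install).'
}

# 3. Quick view of updates applied since the August 2021 security release, to cross-check
#    against the Microsoft advisory for your Windows build.
Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2021-08-10' } |
    Sort-Object InstalledOn | Format-Table HotFixID, InstalledOn -AutoSize

if ($findings.Count -eq 0) {
    Write-Host 'No findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it without -Disable first across a sample of hosts to see how many still have the spooler running and whether any Group Policy has weakened Point and Print; only then decide where disabling the service is acceptable and where patching is the only option.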